Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

do omit exp if ExpiresAt is zero value #334

Merged
merged 2 commits into from
Nov 12, 2018
Merged

do omit exp if ExpiresAt is zero value #334

merged 2 commits into from
Nov 12, 2018

Conversation

nerocrux
Copy link
Contributor

@nerocrux nerocrux commented Nov 9, 2018
edited
Loading

Related issue

  • None

Proposed changes

  • Make sure exp will be omitted if GetExpiresAt(AccessToken) is nil or zero value (no expiration)
  • Currently, even if GetExpiresAt(AccessToken) is zero value, Unix() will be called, and ExpiresAt will be set to -62135596800 because golang's zero time is 0001-01-01T00:00:00Z but not 1970-01-01T00:00:00Z

Checklist

  • I have read the contributing guidelines
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security
    vulnerability, I confirm that I got green light (please contact hi@ory.sh) from the maintainers to push the changes.
  • I signed the Developer's Certificate of Origin
    by signing my commit(s). You can amend your signature to the most recent commit by using git commit --amend -s. If you
    amend the commit, you might need to force push using git push --force HEAD:<branch>. Please be very careful when using
    force push.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

Further comments

  • Currently, even if we introspect RefreshToken, AccessToken's ExpiresAt will be return in exp. Not sure if this is corrent. Maybe it's better to always omit exp field if we introspect RefreshToken, because there is no expiration time for RefreshToken.
  • If omit exp for introspect RefreshToken is good, I will fire another PR.

Thank you!

@nerocrux
do omit exp if ExpiresAt is zero value
72ccfe3 
Signed-off-by: nerocrux <nerocrux@gmail.com>
@aeneasr
Copy link
Member

aeneasr commented Nov 9, 2018

Currently, even if we introspect RefreshToken, AccessToken's ExpiresAt will be return in exp. Not sure if this is corrent. Maybe it's better to always omit exp field if we introspect RefreshToken, because there is no expiration time for RefreshToken.

Due to community feedback, I think it would make sense to have refresh tokens expire optionally. Basically you would be able to set a lifespan, but if none is set the refresh token expires after that time. I think the endpoint should still be able to omit the expiry if it's not set!

aeneasr
aeneasr reviewed Nov 9, 2018
View reviewed changes
introspection_response_writer.go
@@ -202,6 +202,11 @@ func (f *Fosite) WriteIntrospectionResponse(rw http.ResponseWriter, r Introspect
return
}

expiresAt := int64(0)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add a test (or modify an existing one) for this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, will do later.

@nerocrux nerocrux force-pushed the nerocrux/fix_introspect_response_exp branch from 9a7fc1d to 16d6d54 Compare November 10, 2018 15:48
@nerocrux
Copy link
Contributor Author

@aeneasr I have added some tests for this PR. Please take a look at it if you have time.

Due to community feedback, I think it would make sense to have refresh tokens expire optionally. Basically you would be able to set a lifespan, but if none is set the refresh token expires after that time. I think the endpoint should still be able to omit the expiry if it's not set!

Got it.
By the way, I'm totally agree with your opinion on refresh token's expiration here. I don't think refresh token's expiration will make our system safer, and to manage expiration time of a certain token may increase the complexity.

Have a nice weekend!

@nerocrux nerocrux force-pushed the nerocrux/fix_introspect_response_exp branch 2 times, most recently from fed290b to 0b92ccb Compare November 10, 2018 16:36
@nerocrux
add test
10f2864 
Signed-off-by: nerocrux <nerocrux@gmail.com>
@nerocrux nerocrux force-pushed the nerocrux/fix_introspect_response_exp branch from 0b92ccb to 10f2864 Compare November 10, 2018 16:38
@aeneasr
Copy link
Member

aeneasr commented Nov 12, 2018

Agreed, thank you for the changes!

@aeneasr aeneasr merged commit 6d50176 into ory:master Nov 12, 2018
budougumi0617 added a commit to budougumi0617/fosite that referenced this pull request May 10, 2019
@budougumi0617
introspect: Omit exp if ExpiresAt is zero value (ory#334)
b88eadf 
Signed-off-by: nerocrux <nerocrux@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nerocrux @aeneasr